
Thread: PEAR validate

  1. #1
    Senior Coder timgolding's Avatar

    PEAR validate

    Hi

    I am having a few problems with the PEAR Validate extension. I need to be able to validate an input string. However, I need to allow HTML special chars in the validation; at present, including such strings causes validation to fail.

    PHP Code:
    require_once 'Validate.php';

    function inputbox_validate($post_obj)
    {
        // Ensures data is English alpha numeric with possible whitespaces and punctuation including name punctuation
        // Not really working with ENT_QUOTES etc
        if (!Validate::string($post_obj, array("format" => VALIDATE_NUM . VALIDATE_EALPHA . VALIDATE_PUNCTUATION . VALIDATE_SPACE . VALIDATE_NAME, "min_length" => 1, "max_length" => 256)))
            $post_obj = NULL;

        return $post_obj;
    }

    // Apostrophe written as the HTML entity that ENT_QUOTES produces
    echo inputbox_validate('Jamie&#039;s');
    //output: NULL

    I can add extra predefined Regex in PEAR. Here is an example of the predefined constants already available.

    PHP Code:
    define('VALIDATE_NUM',          '0-9');
    define('VALIDATE_SPACE',        '\s');
    define('VALIDATE_ALPHA_LOWER',  'a-z');
    define('VALIDATE_ALPHA_UPPER',  'A-Z');
    define('VALIDATE_ALPHA',        VALIDATE_ALPHA_LOWER . VALIDATE_ALPHA_UPPER);
    define('VALIDATE_EALPHA_LOWER', VALIDATE_ALPHA_LOWER . '');
    define('VALIDATE_EALPHA_UPPER', VALIDATE_ALPHA_UPPER . '');
    define('VALIDATE_EALPHA',       VALIDATE_EALPHA_LOWER . VALIDATE_EALPHA_UPPER);
    define('VALIDATE_PUNCTUATION',  VALIDATE_SPACE . '\.,;\:&"\'\?\!\(\)');
    define('VALIDATE_NAME',         VALIDATE_EALPHA . VALIDATE_SPACE . "'");
    define('VALIDATE_STREET',       VALIDATE_NAME . "/\\\.");

    Last edited by timgolding; 10-30-2007 at 04:39 PM.
    You can not say you know how to do something, until you can teach it to someone else.

  • #2
    Super Moderator
    One of the goals of validation is to prevent HTML or scripts, so messing with the function itself seems a bad idea.

    You could validate a string stripped of tags...

    PHP Code:
    <?php
    $validate_this = strip_tags($str);
    if (inputbox_validate($validate_this) != NULL) {
        //stripped data is in a valid format
        //$str however is still insecure
    }
    ?>

    But then, whilst you know the text passed is a valid name, you don't know what malicious scripts they may have passed in $str;
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #3
    Senior Coder timgolding's Avatar
    I had thought of this; however, if I completely strip tags, that removes ENT_QUOTES. I can replace these first, but then the validator fails. Basically, validation fails if I put ENT_QUOTES or SPECIAL CHARS, which is what I intend to allow.
    You can not say you know how to do something, until you can teach it to someone else.
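
An added example, not part of the original thread and not PEAR's own code: it shows why an entity-encoded value fails the character class built from the constants quoted in post #1, and how validating the raw value first and encoding with `htmlspecialchars()` only at output handles both the apostrophe and the script concern from post #2. The helper `allowlist_validate()` and the constant `ALLOWED` are hypothetical stand-ins for `Validate::string()`, and the accented letters of `VALIDATE_EALPHA` are left out.

```php
<?php
// Character class assembled from the constants quoted in post #1:
// digits, ASCII letters, whitespace, punctuation and the apostrophe.
// Assumption: the accented letters of VALIDATE_EALPHA are omitted.
const ALLOWED = '0-9a-zA-Z\s\.,;\:&"\'\?\!\(\)';

// Hypothetical stand-in for Validate::string(): returns the string when
// every character is in the class and the length is in range, else null.
function allowlist_validate(string $raw, int $min = 1, int $max = 256): ?string
{
    $len = strlen($raw);
    if ($len < $min || $len > $max) {
        return null;
    }
    return preg_match('/\A[' . ALLOWED . ']+\z/', $raw) === 1 ? $raw : null;
}

// Constructed sample inputs.
$samples = [
    // Raw apostrophe: the character is in the class.
    "Jamie's",
    // Encoded before validation: the entity contains '#', which is not in the class.
    htmlspecialchars("Jamie's", ENT_QUOTES, 'UTF-8'),
    // Ampersand and double quotes are in the punctuation set.
    'Tom & "Jerry"',
    // '<', '>' and '/' are not in the class, so markup never validates.
    '<script>alert(1)</script>',
];

foreach ($samples as $input) {
    $valid = allowlist_validate($input);

    // Encode only at the point of writing into HTML, after the raw value
    // has passed validation; the stored value stays unencoded.
    $html = $valid === null
        ? '(rejected)'
        : htmlspecialchars($valid, ENT_QUOTES, 'UTF-8');

    printf("%-30s => %s\n", $input, $html);
}
```

If the value reaching the validator is already encoded, passing it through `html_entity_decode($value, ENT_QUOTES, 'UTF-8')` before validation restores the raw characters the class expects.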

